1677bc66ed7f88e9c69b31b50b5cc8a92466f01db7f422c06ae5632ec19437ef

Resubmissions

11/09/2024, 04:19

240911-extdwstaqc 8

11/09/2024, 04:16

240911-ev5zxatajg 8

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/09/2024, 04:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CheatEngine75.exe
Size

28.6MB
MD5

c0b4fec8ef1a3a96c25952d1711f14bb
SHA1

b3951161dd9a163b60c6f2d7ac28435f1b8d0d64
SHA256

1677bc66ed7f88e9c69b31b50b5cc8a92466f01db7f422c06ae5632ec19437ef
SHA512

94dc06b3d6d45aee1e52ca1be3c76e6b4d862930db037e627c086613adc15aa4f036c27bd300094176fe9d5ab421d44ad2819da7acad9af602de1f648c05c8e0
SSDEEP

786432:UTCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHHq:U2EXFhV0KAcNjxAItjK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
416	CheatEngine75.tmp

Loads dropped DLL 1 IoCs

pid	Process
416	CheatEngine75.tmp

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\Browser\Installed	CheatEngine75.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp
416	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 416	5100	CheatEngine75.exe	79
PID 5100 wrote to memory of 416	5100	CheatEngine75.exe	79
PID 5100 wrote to memory of 416	5100	CheatEngine75.exe	79

C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
"C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\Temp\is-GD8A3.tmp\CheatEngine75.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GD8A3.tmp\CheatEngine75.tmp" /SL5="$C0168,29071676,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GD8A3.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
8d9b9796b574d145614d27a8729ccc67

SHA1
e38ec447a1687cb5bb21a1ed887e83cd8f35d836

SHA256
58407a41b4c4c4b88d0b8b0ccf5b641102d00c48c3443185c72ba10dcddecc07

SHA512
855483eff0c38ebf9575dab1241ed8c74075765ed88b1b3450d2cdf2a469d6beeb013f182b2ff4c1bd81bf2d26f061b72f4dff74c871414b44c701df7855e2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I8KKI.tmp\logo.png

Filesize
246KB

MD5
f3d1b8cd125a67bafe54b8f31dda1ccd

SHA1
1c6b6bf1e785ad80fc7e9131a1d7acbba88e8303

SHA256
21dfa1ff331794fcb921695134a3ba1174d03ee7f1e3d69f4b1a3581fccd2cdf

SHA512
c57d36daa20b1827b2f8f9f98c9fd4696579de0de43f9bbeef63a544561a5f50648cc69220d9e8049164df97cb4b2176963089e14d58a6369d490d8c04354401

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I8KKI.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
b83f5833e96c2eb13f14dcca805d51a1

SHA1
9976b0a6ef3dabeab064b188d77d870dcdaf086d

SHA256
00e667b838a4125c8cf847936168bb77bb54580bc05669330cb32c0377c4a401

SHA512
8641b351e28b3c61ed6762adbca165f4a5f2ee26a023fd74dd2102a6258c0f22e91b78f4a3e9fba6094b68096001de21f10d6495f497580847103c428d30f7bb

Download Submit
memory/416-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/416-25-0x0000000004450000-0x0000000004590000-memory.dmp

Filesize
1.2MB

Download
memory/416-26-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/416-28-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/5100-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5100-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5100-27-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download